Description
In multiple functions, there is a possible way to access the contacts database due to a SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Multiple functions in the Android framework can be made to pass attacker-controlled input into SQL statements executed against the contacts database. The injection could allow an attacker to read or modify sensitive personal data and, because of the privilege model of the contacts provider, could promote a local application to a higher privilege context without requiring additional execution rights. Based on the description, this escalation could enable operations normally reserved for system-level components.

Affected Systems

The vulnerability affects devices running the Android operating system distributed by Google, including Android 14.0, 15.0, and 16.0 releases. The CPE data also lists the 16.0 qpr2 beta series (qpr2_beta_1, qpr2_beta_2, qpr2_beta_3), indicating that the flaw is present across these baseline and beta builds until a related security update is applied.

Risk and Exploitability

Exploitability appears high, as the vulnerability requires only local code execution on the device and no user interaction. The CVSS score of 7.8 indicates high severity, while the EPSS score of < 1% reflects a low probability of exploitation. This vulnerability is not listed in the CISA KEV catalog. An attacker with local access to a device containing the vulnerable component can exploit the flaw.

Generated by OpenCVE AI on June 3, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the most recent Android security update released by Google that addresses the contacts provider SQL injection flaw.
  • Review installed applications and revoke or uninstall any that request sensitive contacts permissions unless they are essential, using Android's permission manager.
  • Configure device management policies to limit database access for non-system apps, such as applying SELinux policies or OS-level sandboxing, to reduce the attack surface.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Title Android Contacts Provider SQL Injection Vulnerability Allowing Local Privilege Escalation

Wed, 03 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:* cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Wed, 03 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Tue, 02 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:*

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Title Android Contacts Database SQL Injection Enables Local Privileged Escalation
Weaknesses CWE-94

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Tue, 02 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
Title Android Contacts Database SQL Injection Enables Local Privileged Escalation
Weaknesses CWE-89
CWE-94

Tue, 02 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In multiple functions, there is a possible way to access the contacts database due to a SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-03T12:53:51.201Z

Reserved: 2025-10-15T15:41:00.964Z

Link: CVE-2026-0075

Vulnrichment

Updated: 2026-06-02T13:31:08.667Z

NVD

Status : Modified

Published: 2026-06-01T22:16:21.650

Modified: 2026-06-03T14:16:31.447

Link: CVE-2026-0075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T15:15:08Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')